Konrad Kollnig scite author profile

While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively much less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children. In the children’s category, iOS apps tended to use fewer advertising-related tracking than their Android counterparts, but could more often access children’s location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third-parties in children’s apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.

show abstract

Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels

Kollnig

Shuba

Kleek

et al. 2022

View full text Add to dashboard Cite

Tracking is a highly privacy-invasive data collection practice that has been ubiquitous in mobile apps for many years due to its role in supporting advertising-based revenue models. In response, Apple introduced two significant changes with iOS 14: App Tracking Transparency (ATT), a mandatory opt-in system for enabling tracking on iOS, and Privacy Nutrition Labels, which disclose what kinds of data each app processes. So far, the impact of these changes on individual privacy and control has not been well understood. This paper addresses this gap by analysing two versions of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and one that has been updated to comply with the new rules.We find that Apple's new policies, as promised, prevent the collection of the Identifier for Advertisers (IDFA), an identifier for cross-app tracking. Smaller data brokers that engage in invasive data practices will now face higher challenges in tracking users -a positive development for privacy. However, the number of tracking libraries has -on average -roughly stayed the same in the studied apps. Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple's policies. We find that Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new tracking rules. We also find that the new Privacy Nutrition Labels are sometimes inaccurate and misleading, especially in less popular apps.Overall, our observations suggest that, while Apple's changes make tracking individual users more difficult, they motivate a countermovement, and reinforce existing market power of gatekeeper

show abstract

Before and after GDPR: tracking in mobile apps

Kollnig¹,

Binns²,

Kleek³

et al. 2021

View full text Add to dashboard Cite

Third-party tracking, the collection and sharing of behavioural data about individuals, is a significant and ubiquitous privacy threat in mobile apps. The EU General Data Protection Regulation (GDPR) was introduced in 2018 to protect personal data better, but there exists, thus far, limited empirical evidence about its efficacy. This paper studies tracking in nearly two million Android apps from before and after the introduction of the GDPR. Our analysis suggests that there has been limited change in the presence of third-party tracking in apps, and that the concentration of tracking capabilities among a few large gatekeeper companies persists. However, change might be imminent.

show abstract

Mind-proofing Your Phone: Navigating the Digital Minefield with GreaseTerminator

Datta¹,

Kollnig²,

Shadbolt³

2021

Preprint

View full text Add to dashboard Cite

Digital harms are widespread in the mobile ecosystem. As these devices gain ever more prominence in our daily lives, so too increases the potential for malicious attacks against individuals. The last line of defense against a range of digital harms -including digital distraction, political polarisation through hate speech, and children being exposed to damaging material -is the user interface. This work introduces GreaseTerminator to enable researchers to develop, deploy, and test interventions against these harms with end-users. We demonstrate the ease of intervention development and deployment, as well as the broad range of harms potentially covered with GreaseTerminator in five in-depth case studies.CCS Concepts: • Human-centered computing → Systems and tools for interaction design; Accessibility systems and tools.

show abstract

I Want My App That Way: Reclaiming Sovereignty Over Personal Devices

Kollnig

Datta

Kleek

2021

View full text Add to dashboard Cite

Dark patterns in mobile apps take advantage of cognitive biases of end-users and can have detrimental efects on people's lives. Despite growing research in identifying remedies for dark patterns and established solutions for desktop browsers, there exists no established methodology to reduce dark patterns in mobile apps. Our work introduces GreaseDroid, a community-driven app modifcation framework enabling non-expert users to disable dark patterns in apps selectively. CCS CONCEPTS• Human-centered computing → Systems and tools for interaction design; Accessibility systems and tools; • Security and privacy → Software reverse engineering.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Konrad Kollnig

Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps

Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels

Before and after GDPR: tracking in mobile apps

Mind-proofing Your Phone: Navigating the Digital Minefield with GreaseTerminator

I Want My App That Way: Reclaiming Sovereignty Over Personal Devices

Contact Info

Product

Resources

About